Exploits

A time-based blind SQL injection exists in the mobiquo/lib/classTTForum.php file in the Tapatalk for MyBB Plugin, for versions prior to 4.5.8. The vulnerability allows an unauthenticated user to inject SQL as part of the user registration process. The injection occurs within a SELECT statement and as such could be used to extract data from the database.

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Proof of Concept

Set the correct Host header on the request below and send it to a MySQL-based installation of MyBB with the Tapatalk plugin installed.

A persistent Cross-site Scripting (XSS) vulnerability exists in the /xmlhttp.php file in MyBB (aka MyBulletinBoard) versions before 1.8.5 which allows remote attackers (authenticated and in some cases unauthenticated) to inject arbitrary web script or HTML into their posts. Whilst the injected code is not rendered in posts themselves, if the post's quick edit AJAX URL is opened in a browser window, the injected code would be rendered. Since administrators / moderators can use the quick edit feature on any posts, this vulnerability could be used to target administrator / moderator accounts.

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C)

Proof of Concept

Create a post with the content set to:

<script>alert(1)</script>

Get the ID of the post from the HTML (there are numerous locations where it is used) and use it in the following URL:

Open the URL in a browser window. The JavaScript should execute and create an alert box with the contents "1". This URL will work for the user who created the post, administrators, super moderators, and moderators with permission to edit posts in the forum where the post was made. All other users will see a permissions error.
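The issue above comes down to an AJAX endpoint returning stored post text in a response that a browser treats as HTML when the URL is opened directly. The following is an added example, not MyBB source code and not the project's actual fix: the function names and response shape are hypothetical, and it contrasts that pattern with one way to harden it.

```php
<?php
// Added illustration: a simplified model of a "quick edit" AJAX handler.
// Function names and the array-based response are hypothetical, not MyBB code.

// Vulnerable pattern: the stored message is returned verbatim under an HTML
// content type, so a browser that navigates to the URL parses it as markup.
function quick_edit_response_vulnerable(string $storedMessage): array
{
    return [
        'headers' => ['Content-Type: text/html; charset=UTF-8'],
        'body'    => $storedMessage,
    ];
}

// Hardened pattern: return JSON, forbid MIME sniffing, and hex-escape
// <, >, &, ' and " so the body contains no markup even if it is
// ever interpreted as HTML.
function quick_edit_response_hardened(string $storedMessage): array
{
    return [
        'headers' => [
            'Content-Type: application/json; charset=UTF-8',
            'X-Content-Type-Options: nosniff',
        ],
        'body' => json_encode(
            ['message' => $storedMessage],
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        ),
    ];
}

// Test string from the proof of concept above.
$post = '<script>alert(1)</script>';

foreach (['vulnerable', 'hardened'] as $variant) {
    $fn = "quick_edit_response_{$variant}";
    $response = $fn($post);
    printf("%-10s %s\n           %s\n", $variant, $response['headers'][0], $response['body']);
}
```

With the hardened handler, the client-side editor must assign the decoded message to the edit field's value rather than inserting it as HTML.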

A persistent Cross-site Scripting (XSS) vulnerability exists in Polycom RealPresence CloudAXIS Suite versions prior to 1.7.0 which allows a remote authenticated user to inject arbitrary JavaScript or HTML into the application. Injected code is rendered and executed by a victim's web browser as soon as they join the session.